// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <keyhi.h>
#include <openssl/bn.h>
#include <openssl/ecdsa.h>
#include <openssl/rsa.h>
#include <pk11pub.h>
#include <prerror.h>

#include <utility>

#include "base/logging.h"
#include "base/macros.h"
#include "base/memory/ptr_util.h"
#include "base/sequenced_task_runner.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/scoped_openssl_types.h"
#include "net/cert/x509_certificate.h"
#include "net/ssl/client_key_store.h"
#include "net/ssl/ssl_platform_key.h"
#include "net/ssl/ssl_platform_key_task_runner.h"
#include "net/ssl/ssl_private_key.h"
#include "net/ssl/threaded_ssl_private_key.h"

namespace net {

namespace {

    void LogPRError()
    {
        PRErrorCode err = PR_GetError();
        const char* err_name = PR_ErrorToName(err);
        if (err_name == nullptr)
            err_name = "";
        LOG(ERROR) << "Could not sign digest: " << err << " (" << err_name << ")";
    }

    class SSLPlatformKeyNSS : public ThreadedSSLPrivateKey::Delegate {
    public:
        SSLPlatformKeyNSS(SSLPrivateKey::Type type,
            crypto::ScopedSECKEYPrivateKey key)
            : type_(type)
            , key_(std::move(key))
        {
        }
        ~SSLPlatformKeyNSS() override { }

        SSLPrivateKey::Type GetType() override { return type_; }

        std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override
        {
            static const SSLPrivateKey::Hash kHashes[] = {
                SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384,
                SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1
            };
            return std::vector<SSLPrivateKey::Hash>(kHashes,
                kHashes + arraysize(kHashes));
        }

        size_t GetMaxSignatureLengthInBytes() override
        {
            int len = PK11_SignatureLen(key_.get());
            if (len <= 0)
                return 0;
            // NSS signs raw ECDSA signatures rather than a DER-encoded ECDSA-Sig-Value.
            if (type_ == SSLPrivateKey::Type::ECDSA)
                return ECDSA_SIG_max_len(static_cast<size_t>(len) / 2);
            return static_cast<size_t>(len);
        }

        Error SignDigest(SSLPrivateKey::Hash hash,
            const base::StringPiece& input,
            std::vector<uint8_t>* signature) override
        {
            SECItem digest_item;
            digest_item.data = const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>(input.data()));
            digest_item.len = input.size();

            crypto::ScopedOpenSSLBytes free_digest_info;
            if (type_ == SSLPrivateKey::Type::RSA) {
                // PK11_Sign expects the caller to prepend the DigestInfo.
                int hash_nid = NID_undef;
                switch (hash) {
                case SSLPrivateKey::Hash::MD5_SHA1:
                    hash_nid = NID_md5_sha1;
                    break;
                case SSLPrivateKey::Hash::SHA1:
                    hash_nid = NID_sha1;
                    break;
                case SSLPrivateKey::Hash::SHA256:
                    hash_nid = NID_sha256;
                    break;
                case SSLPrivateKey::Hash::SHA384:
                    hash_nid = NID_sha384;
                    break;
                case SSLPrivateKey::Hash::SHA512:
                    hash_nid = NID_sha512;
                    break;
                }
                DCHECK_NE(NID_undef, hash_nid);
                int is_alloced;
                size_t prefix_len;
                if (!RSA_add_pkcs1_prefix(&digest_item.data, &prefix_len, &is_alloced,
                        hash_nid, digest_item.data, digest_item.len)) {
                    return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
                }
                digest_item.len = prefix_len;
                if (is_alloced)
                    free_digest_info.reset(digest_item.data);
            }

            int len = PK11_SignatureLen(key_.get());
            if (len <= 0) {
                LogPRError();
                return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
            }
            signature->resize(len);
            SECItem signature_item;
            signature_item.data = signature->data();
            signature_item.len = signature->size();

            SECStatus rv = PK11_Sign(key_.get(), &signature_item, &digest_item);
            if (rv != SECSuccess) {
                LogPRError();
                return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
            }
            signature->resize(signature_item.len);

            // NSS emits raw ECDSA signatures, but BoringSSL expects a DER-encoded
            // ECDSA-Sig-Value.
            if (type_ == SSLPrivateKey::Type::ECDSA) {
                if (signature->size() % 2 != 0) {
                    LOG(ERROR) << "Bad signature length";
                    return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
                }
                size_t order_len = signature->size() / 2;

                // Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
                crypto::ScopedECDSA_SIG sig(ECDSA_SIG_new());
                if (!sig || !BN_bin2bn(signature->data(), order_len, sig->r) || !BN_bin2bn(signature->data() + order_len, order_len, sig->s)) {
                    return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
                }

                int len = i2d_ECDSA_SIG(sig.get(), nullptr);
                if (len <= 0)
                    return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
                signature->resize(len);
                uint8_t* ptr = signature->data();
                len = i2d_ECDSA_SIG(sig.get(), &ptr);
                if (len <= 0)
                    return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
                signature->resize(len);
            }

            return OK;
        }

    private:
        SSLPrivateKey::Type type_;
        crypto::ScopedSECKEYPrivateKey key_;

        DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyNSS);
    };

} // namespace

scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(
    X509Certificate* certificate)
{
    crypto::ScopedSECKEYPrivateKey key(
        PK11_FindKeyByAnyCert(certificate->os_cert_handle(), nullptr));
    if (!key) {
        return ClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
            *certificate);
    }

    KeyType nss_type = SECKEY_GetPrivateKeyType(key.get());
    SSLPrivateKey::Type type;
    switch (nss_type) {
    case rsaKey:
        type = SSLPrivateKey::Type::RSA;
        break;
    case ecKey:
        type = SSLPrivateKey::Type::ECDSA;
        break;
    default:
        LOG(ERROR) << "Unknown key type: " << nss_type;
        return nullptr;
    }
    return make_scoped_refptr(new ThreadedSSLPrivateKey(
        base::WrapUnique(new SSLPlatformKeyNSS(type, std::move(key))),
        GetSSLPlatformKeyTaskRunner()));
}

} // namespace net
